{"id":"CVE-2021-24029","details":"A packet of death scenario is possible in mvfst via a specially crafted message during a QUIC session, which causes a crash via a failed assertion. Per QUIC specification, this particular message should be treated as a connection error. This issue affects mvfst versions prior to commit a67083ff4b8dcbb7ee2839da6338032030d712b0 and proxygen versions prior to v2021.03.15.00.","modified":"2026-04-11T13:53:58.075920Z","published":"2021-03-15T22:15:13.530Z","references":[{"type":"ADVISORY","url":"https://www.facebook.com/security/advisories/cve-2021-24029"},{"type":"FIX","url":"https://github.com/facebookincubator/mvfst/commit/a67083ff4b8dcbb7ee2839da6338032030d712b0"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/facebook/mvfst","events":[{"introduced":"0"},{"fixed":"a67083ff4b8dcbb7ee2839da6338032030d712b0"}]},{"type":"GIT","repo":"https://github.com/facebook/proxygen","events":[{"introduced":"0"},{"fixed":"5eecfbdf288eaa1f69de04211587b0becd6b8b30"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2021.03.15.00"}]}}],"versions":["v0.18.0","v0.19.0","v0.20.0","v0.21.0","v0.22.0","v0.23.0","v0.24.0","v0.25.0","v0.26.0","v0.27.0","v0.28.0","v0.29.0","v0.30.0","v0.32.0","v2017.01.16.00","v2017.01.23.00","v2017.01.30.00","v2017.03.06.00","v2017.03.13.00","v2017.03.20.00","v2017.03.27.00","v2017.04.03.00","v2017.04.10.00","v2017.04.17.00","v2017.04.24.00","v2017.05.01.00","v2017.05.08.00","v2017.05.15.00","v2017.05.22.00","v2017.05.29.00","v2017.06.05.00","v2017.06.12.00","v2017.06.19.00","v2017.06.26.00","v2017.07.03.00","v2017.07.10.00","v2017.07.17.00","v2017.07.24.00","v2017.07.31.00","v2017.08.07.00","v2017.08.14.00","v2017.08.21.00","v2017.08.28.00","v2017.09.04.00","v2017.09.11.00","v2017.09.18.00","v2017.09.25.00","v2017.10.02.00","v2017.10.09.00","v2017.10.16.00","v2017.10.23.00","v2017.10.30.00","v2017.11.06.00","v2017.11.13.00","v2017.11.20.00","v2017.11.27.00","v2017.12.04.00","v2017.12.11.00","v2017.12.18.00","v2017.12.25.00","v2018.01.01.00","v2018.01.08.00","v2018.01.15.00","v2018.01.22.00","v2018.01.29.00","v2018.02.05.00","v2018.02.12.00","v2018.02.19.00","v2018.02.26.00","v2018.03.05.00","v2018.03.12.00","v2018.03.19.00","v2018.03.26.00","v2018.04.02.00","v2018.04.09.00","v2018.04.16.00","v2018.04.23.00","v2018.04.30.00","v2018.05.07.00","v2018.05.14.00","v2018.05.21.00","v2018.05.28.00","v2018.06.04.00","v2018.06.11.00","v2018.06.18.00","v2018.06.25.00","v2018.07.02.00","v2018.07.09.00","v2018.07.16.00","v2018.07.23.00","v2018.07.30.00","v2018.08.06.00","v2018.08.13.00","v2018.08.20.00","v2018.08.27.00","v2018.09.03.00","v2018.09.10.00","v2018.09.17.00","v2018.09.24.00","v2018.10.01.00","v2018.10.08.00","v2018.10.15.00","v2018.10.22.00","v2018.10.29.00","v2018.11.05.00","v2018.11.12.00","v2018.11.19.00","v2018.11.26.00","v2018.12.03.00","v2018.12.10.00","v2018.12.17.00","v2018.12.24.00","v2018.12.31.00","v2019.01.07.00","v2019.01.14.00","v2019.01.21.00","v2019.01.28.00","v2019.02.04.00","v2019.02.11.00","v2019.02.18.00","v2019.02.25.00","v2019.03.04.00","v2019.03.18.00","v2019.03.25.00","v2019.04.01.00","v2019.04.08.00","v2019.04.15.00","v2019.04.22.00","v2019.04.29.00","v2019.05.06.00","v2019.05.13.00","v2019.05.20.00","v2019.05.27.00","v2019.06.03.00","v2019.06.10.00","v2019.06.17.00","v2019.06.24.00","v2019.07.01.00","v2019.07.08.00","v2019.07.15.00","v2019.07.22.00","v2019.07.29.00","v2019.08.05.00","v2019.08.12.00","v2019.08.19.00","v2019.08.26.00","v2019.09.02.00","v2019.09.09.00","v2019.09.16.00","v2019.09.23.00","v2019.09.30.00","v2019.10.07.00","v2019.10.14.00","v2019.10.21.00","v2019.10.28.00","v2019.11.04.00","v2019.11.11.00","v2019.12.02.00","v2019.12.06.00","v2019.12.09.00","v2019.12.16.00","v2019.12.23.00","v2019.12.30.00","v2020.01.06.00","v2020.01.13.00","v2020.01.20.00","v2020.01.27.00","v2020.02.03.00","v2020.02.10.00","v2020.02.17.00","v2020.02.24.00","v2020.03.02.00","v2020.03.09.00","v2020.03.16.00","v2020.03.23.00","v2020.03.30.00","v2020.04.06.00","v2020.04.13.00","v2020.04.20.00","v2020.04.27.00","v2020.05.04.00","v2020.05.11.00","v2020.05.18.00","v2020.05.25.00","v2020.06.01.00","v2020.06.08.00","v2020.06.15.00","v2020.06.29.00","v2020.07.06.00","v2020.07.13.00","v2020.07.20.00","v2020.07.27.00","v2020.08.03.00","v2020.08.10.00","v2020.08.17.00","v2020.08.24.00","v2020.08.31.00","v2020.09.07.00","v2020.09.14.00","v2020.09.21.00","v2020.09.28.00","v2020.10.05.00","v2020.10.12.00","v2020.10.19.00","v2020.10.26.00","v2020.11.02.00","v2020.11.09.00","v2020.11.16.00","v2020.11.23.00","v2020.11.30.00","v2020.12.07.00","v2020.12.14.00","v2020.12.21.00","v2020.12.28.00","v2021.01.04.00","v2021.01.11.00","v2021.01.18.00","v2021.01.25.00","v2021.02.01.00","v2021.02.08.00","v2021.02.15.00","v2021.02.22.00","v2021.03.01.00"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-24029.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"2021-03-13"}]}],"vanir_signatures":[{"signature_type":"Line","target":{"file":"quic/server/test/QuicServerTransportTest.cpp"},"source":"https://github.com/facebook/mvfst/commit/a67083ff4b8dcbb7ee2839da6338032030d712b0","id":"CVE-2021-24029-0ac97656","digest":{"threshold":0.9,"line_hashes":["248342407626141050190838455811147751006","63115842605571238232503870268998523466","59415398707982213952760562342625542537"]},"deprecated":false,"signature_version":"v1"},{"signature_type":"Function","target":{"function":"updateHandshakeState","file":"quic/server/state/ServerStateMachine.cpp"},"source":"https://github.com/facebook/mvfst/commit/a67083ff4b8dcbb7ee2839da6338032030d712b0","id":"CVE-2021-24029-7a401d8f","digest":{"function_hash":"78808623916694169656464070640371600264","length":2119},"deprecated":false,"signature_version":"v1"},{"signature_type":"Line","target":{"file":"quic/server/state/ServerStateMachine.cpp"},"source":"https://github.com/facebook/mvfst/commit/a67083ff4b8dcbb7ee2839da6338032030d712b0","id":"CVE-2021-24029-b895e841","digest":{"threshold":0.9,"line_hashes":["293027751792032243636639078235767233321","312126279400361233045350196851108630886","158009563097796313893382886745609570661","252769741026856191361935555183191271809"]},"deprecated":false,"signature_version":"v1"}],"vanir_signatures_modified":"2026-04-11T13:53:58Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}